Attorney Docket No.: 63795-0007 
Application No.: 09/874,292 



Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1. (Currently Amended) A method for detecting unauthorized intrusion in a network 
system, comprising the steps of: 

receiving packet level activity information from the network; 

collecting sequential samples of sorted port specific activity information from the 
received packet level activity information for each IP/user; 

converting packet level activity into human behaviors and activities for each IP/user, 
including assigning a binary representation (1=present 0=absent) to each human behavior and 
activity; 

converting the sorted IP/user behavioral activities into behavioral measures of expertise 
and deception as measures of underlying intent for each IP/user in order to generate an 
assessment, wherein the assessment is made for every possible combination of behaviors and 
activities whether or not such combinations of behaviors and activities have been previously 
encountered; 

monitoring sequential determinations of the converted human intent behavioral measures, 
for the duration that each IP/user is in the network, wherein the monitoring step includes 
determining new and previously undetected misuse behaviors as indicated by increased intent 
levels of expertise and deception; and executing at least one of a network connection blocking 
action or passive gathering of tracked intent information for any given IP/user based upon the 
assessment indicating that the if monitored expertise and deception measures exceed intent 
thresholds that indicate misuse network activity underlying non misuse network activity, 
wherein the step of monitoring includes: 

identifying presence of at least one activity from the port specific activity information; 

assigning a binary representation (1=present, 0=absent) to the at least one identified 
activity; and 

generating an assessment based upon the binary rating. 

2. (Cancelled) 

3. (Previously Amended) The method according to claim 1, wherein the step of generating 
an assessment includes associating the binary rating with an assessment based upon 
predetermined behavioral criteria. 

4. (Original) The method according to claim 3, wherein the step of generating an 
assessment includes mapping the assessment on at least one two-dimensional grid. 

5. (Original) The method according to claim 4, wherein the step of mapping occurs 
dynamically and in real-time. 

6. (Previously Amended) The method according to claim 1, wherein the step of generating 
an assessment includes generating a profile of the IP/user based upon the monitored behavioral 
measures. 

7. (Previously Amended) The method according to claim 1, wherein the step of generating 
an assessment is carried out utilizing a back propagation network. 

8. (Original) The method according to claim 7 wherein the back propagation network 
includes psychological assessment information. 

9. (Previously Amended) The method according to claim 1, wherein the assessment is one 
of high deception/high expertise, high deception/low expertise, low deception/high expertise and 
low deception/low expertise. 

10. (Currently Amended) The method according to claim 1, wherein the blocking action 
includes sending a blocking command to a firewall for blocking further network access if high 
deception and/or high expertise exceeds the threshold. 

11. (Original) The method according to claim 1, wherein the tracking action includes storing 
activity information in a tracking module. 

12. (Currently Amended) A system for preventing unauthorized intrusion in a network 
system, comprising: 

a traffic sorter that receives a copy of the network activity and sorts all activities by 
IP/User for the purpose collecting sequential samples of each IP/user's activities/behaviors; 

an activity monitor operatively coupled to the traffic sorter for sequentially monitoring 
converted human intent behaviors and activities by IP/users; 

an inter-port fusion module operatively coupled to the activity monitor that fuses 
assessments from one or more assessment engines that monitor behavior measures by IP/User; 
and 

an outcome director operatively coupled to the inter-port fusion monitor that determines 
whether to block or track IP/users on a specific IP/User basis based upon assessed behavioral 
measures of intent, wherein the assessed behavioral measure of intent are made for every 
possible combination of behaviors and activities whether or not such combinations of behaviors 
and activities have been previously encountered and, wherein the activity monitor includes at 
least one dedicated behavior monitor, wherein the at least one dedicated behavior monitor 
includes an activity/behavior analysis module, an activity translator module and an assessment 
module and wherein the assessment module includes a trained back propagation network 
wherein the assessment module includes a trained back propagation network. 
Claims 13-15 Cancelled 

16. (Previously Amended) The system according to claim 12, wherein the back propagation 
network includes psychological assessment information. 

17. (Previously Amended) The system according to claim 12, wherein the traffic sorter 
receives packet level activity information from the network and sorts the port specific activity 
information from the network into IP/Users. 

18. (Previously Amended) The system according to claim 12, wherein the activity monitor 
monitors the port and across-port specific activity information. 

19. (Previously Amended) The system according to claim 12, wherein the activity translator 
module assigns a binary rating based upon presence (1) or absence (0) of at least one 
activity/behavior detected by the packet level analysis module. 

20. (Previously Amended) The system according to claim 19, wherein the assessment 
module generates an assessment of levels of expertise and deception present in any sample of an 
IP/User's overall activities/behaviors for a collection interval. 

21. (Previously Amended) The system according to claim 19, wherein the assessment 
module maps the assessment result utilizing at least one of a two dimensional grid or X 
dimensional grid for optional real-time viewing of a user's intent for each sequential collection 
interval. 

22. (Original) The system according to claim 20, wherein an outcome director initiates at 
least one of a blocking command or a tracking command based upon the assessment result. 

23. (Original) The system according to claim 22, wherein the blocking command is directed 
to a system firewall. 

24. (Previously Amended) The system according to claim 23 in which a blocking command 
results in the loss of the connection between an IP/User and the network and the storage of all 
relevant session data up to the point of forced loss of the IP/User's connection to the network. 

25. (Original) The system according to claim 22, wherein the tracking command is directed 
to a tracking module. 

26. (Original) The system according to claim 24, wherein the tracking module includes a 
tracking database for storing activity information that may be used to provide evidence of an 
intruder's harmful intent activities and at least one intent assessment during a session. 

27. (Original) The system according to claim 26, wherein the tracking database includes 
neural network assessment and associated information for the intruder that is at least one of 
tracked or blocked. 

28. (Original) The system according to claim 27, wherein the tracking database includes a 
comparison module for comparing the neural network assessment and associated information 
against a second assessment based upon a second network intrusion. 

29. (Original) The system according to claim 28, wherein at least one of a blocking or 
tracking action is executed based upon an output from the comparison module. 

30. (Currently Amended) A system for detecting unauthorized intrusion in a network system, 
comprising: 

sorting means for sorting sequential samples of IP/User specific activities/behaviors by 
and across ports; 

first conversion means for converting packet level activity into human behaviors and 
activities for each IP/user, including assigning a binary representation (1=present 0=absent) to 
each human behavior and activity; 

second conversion means for converting the IP/User specific activities/behaviors to 
behavioral measures of expertise and deception as measures of underlying intent for each IP/user 
in order to generate an assessment, wherein the assessment is made for every possible 
combination of behaviors and activities whether or not such combinations of behaviors and 
activities have been previously encountered; and 

blocking means for executing at least one of a network connection blocking action or 
passive gathering of tracked intent information for any given IP/user based upon the assessment 
indicating that the monitored expertise and deception exceed intent thresholds that indicate 
misuse network activity monitoring means operatively coupled to the sorting means for 
monitoring sequential determinations of the converted behavioral measures for the duration that 
each IP/user is in the network and for determining new and previously undetected misuse 
behaviors as indicated by increased intent levels of expertise and deception, wherein the 
monitoring means further identifies a presence of at least one activity from the port specific 
activity information, assigns a binary representation (1=present, 0=absent) to the at least one 
identified activity; and generating an assessment based upon the binary rating; and 

assessing means operatively coupled to the monitoring means for generating separate and 
independent IP/user assessments based upon the behavior measures. 

31. (Currently Amended) A computer program product, comprising: 

a computer usable medium having computer readable code embodied therein for 
preventing unauthorized intrusion into a computer network, the computer program product 
comprising: 

computer readable program code configured to cause the computer to process a 
copy of network activity in real-time to collect sequential samples of sorted port specific and 
non-port specific activity information for each IP/user from packet level activity information 
received by the computer network; 

computer readable program code configured to cause the computer to convert the 
packet level activity into human behaviors and activities for each IP/user and convert the sorted 
IP/user behavioral activities into behavioral measures of expertise and deception as measures of 
underlying intent for each IP/user in order to generate an assessment, wherein the assessment is 
made for every possible combination of behaviors and activities whether or not such 
combinations of behaviors and activities have been previously encountered; and 

computer readable program code configured to cause the computer to monitor 
sequential determinations of the converted human intent behavioral measures, for the duration 
that each IP/user is in the network, wherein the monitoring step includes determining new and 
previously undetected misuse behaviors as indicated by increased intent levels of expertise and 
deception and wherein the monitoring step includes identifying a presence of at least one activity 
from the port specific activity information, assigning a binary representation (1=present, 
0=absent) to the at least one identified activity; and generating an assessment based upon the 
binary rating; and 

computer readable program code configured to cause the computer to execute at 
least one of a network connection blocking action or passive gathering of tracked intent 
information for any given IP/user based upon the assessment indicating that if monitored 
expertise and deception measures exceed intent thresholds that indicate misuse network activity 
underlying non misuse network activity. 

32. (Previously Amended) The method according to claim 1, wherein the step of receiving 
the port and non-port specific activity/behavior information includes creating a copy of the 
network activity sorted by users. 

33. (Previously Added) The method according to claim 1, further including the step of 
sorting non-port specific activity information from the received packet level activity information 
by IP/user; and converting the non-port specific activity information to human behavioral 
measures of intent. 
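
The pipeline recited in claims 1, 9 and 10 (sort by IP/user, translate packet activity into present/absent behavior bits, assess expertise and deception, then block or track), sketched as an added example that is not part of the application. The behavior names, detection rules, weights, threshold and block/track policy are assumptions, and a fixed linear scorer stands in for the trained back propagation network of claim 7.

```python
from collections import defaultdict
from itertools import product

# Constructed behavior set; each is rated 1=present, 0=absent per collection interval.
BEHAVIORS = ("port_sweep", "repeated_auth_failure", "admin_port_access", "log_tampering")
# Assumed weights; a linear scorer stands in for the trained back propagation network.
EXPERTISE_W = (0.3, 0.0, 0.3, 0.4)
DECEPTION_W = (0.2, 0.2, 0.0, 0.6)
THRESHOLD = 0.5  # assumed intent threshold for both measures

def sort_by_ip(packets):
    """Traffic sorter: group packet records into per-IP samples, preserving order."""
    by_ip = defaultdict(list)
    for pkt in packets:
        by_ip[pkt["src"]].append(pkt)
    return dict(by_ip)

def to_bits(sample):
    """Activity translator: packet-level activity -> binary behavior vector."""
    ports = {p["dport"] for p in sample}
    return (
        int(len(ports) >= 4),
        int(sum(p["event"] == "auth_fail" for p in sample) >= 3),
        int(bool(ports & {22, 3389})),
        int(any(p["event"] == "log_delete" for p in sample)),
    )

def assess(bits):
    """Score expertise and deception, then name the quadrant listed in claim 9."""
    exp = sum(w * b for w, b in zip(EXPERTISE_W, bits))
    dec = sum(w * b for w, b in zip(DECEPTION_W, bits))
    level = lambda v: "high" if v >= THRESHOLD else "low"
    return exp, dec, f"{level(dec)} deception/{level(exp)} expertise"

def outcome(bits):
    """Outcome director (assumed policy): block if either measure is high, else track."""
    exp, dec, _ = assess(bits)
    return "block" if max(exp, dec) >= THRESHOLD else "track"

def assess_all():
    """Every possible behavior combination gets an assessment, seen before or not."""
    return {bits: assess(bits)[2] for bits in product((0, 1), repeat=len(BEHAVIORS))}

# Constructed packet records (documentation addresses), not captured traffic.
PACKETS = (
    [{"src": "192.0.2.10", "dport": 443, "event": "ok"}] * 3
    + [{"src": "198.51.100.7", "dport": p, "event": "ok"} for p in (21, 22, 80, 443)]
    + [{"src": "198.51.100.7", "dport": 22, "event": "log_delete"}]
)

def run(packets=PACKETS):
    return {ip: outcome(to_bits(s)) for ip, s in sort_by_ip(packets).items()}
```

Because the assessment is a function of the bit vector rather than a lookup of known signatures, `assess_all()` yields a quadrant for all 16 combinations, including ones never observed.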

Remarks 

Claims 1, 3-12 and 16-33 are pending. By this Amendment, claims 1, 12, 30 and 31 are 
amended. Reconsideration in view of the above amendments and following remarks is 
respectfully requested. 

Applicant gratefully acknowledges the courtesies extended by the Examiner to the 
Applicant and Applicant's representative during the Tuesday, December 5, 2006 personal 
interview. The points raised during the personal interview are incorporated herein. 